We've got a website up and running, called sasse. We use a simple SSH and Git (GitHub) deployment strategy, where code is simply pulled from the GitHub account to the deployment server (and refreshed).

Currently, the website's files are owned by a sasse user on the server, but with group write permissions. The files are located in /home/sasse/sasse.

This means that it works fine to do git pull when you're logged in as sasse on the server, but if I do it as my personal account (sudo account which has been added to the sasse group), any changed files will belong to me; my primary group is not sasse. I.e. after pulling a change which affected COPYRIGHT.txt:

This means that I have to remember to do chown -R sasse:sasse . if I want to keep the original ownership status -- which is necessary if someone else is going to be able to pull next time. And they quite possibly are!

It is necessary that more than one person can deploy code to our server, so the sasse account is impersonal. I didn't want people to log into it, but to use a personal account with the relevant group memberships/permissions.

Questions:

What is the best way to handle a situation where multiple people need access to deploy code on the same server?

Should we simply allow everyone to use the sasse account for deployment instead?*

Should we maintain a strategy where users have group access (or sudo access) to the repository but somehow work around the problem of permissions getting messed up? If so, how? Can I make git pull "as a specific user"?

* Possibly by adding public keys to authorized_keys and not letting sasse edit that file itself
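
The ownership drift described in the question can be detected before the next person tries to pull. The following is an added example, not part of the original post: the function names are hypothetical, and only the path `/home/sasse/sasse` and the `sasse:sasse` owner and group come from the question.

```shell
#!/bin/sh
# Added example: report entries in a shared deployment tree that would get
# in the way of the next deployer. All function names are hypothetical.

# find_drift DIR OWNER GROUP
# Prints every path under DIR that is not owned by OWNER:GROUP, plus every
# directory that is not group-writable (group members cannot create or
# replace files inside such a directory).
find_drift() {
    dir=$1 owner=$2 group=$3
    find "$dir" \( ! -user "$owner" -o ! -group "$group" \
        -o \( -type d ! -perm -g+w \) \) -print
}

# count_drift DIR OWNER GROUP
# Prints the number of drifted paths.
count_drift() {
    find_drift "$@" | wc -l | tr -d ' '
}

# check_tree DIR OWNER GROUP
# Exit status 0 if the tree is clean, 1 if any drift was found.
check_tree() {
    [ "$(count_drift "$@")" -eq 0 ]
}

# Usage on the server from the question (run after each pull):
#   check_tree /home/sasse/sasse sasse sasse \
#       || find_drift /home/sasse/sasse sasse sasse
```

OWNER and GROUP may be given as names or numeric IDs, so the same check works from a personal account or from a scheduled job.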